Overview of the Sponge, Duplex and Farfalle constructions
Gilles Van Assche, STMicroelectronics
Summer school on real-world crypto and privacy, Šibenik, Croatia, June 2019
Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen, Seth Hoffert, Bart Mennink, Michaël Peeters, Ronny Van Keer
Outline
1. Security notions for hashing
   - Hashing requirements
   - Modern generic security
2. Why permutation-based cryptography?
3. Unkeyed applications
   - The sponge construction
   - The duplex construction
4. Keyed applications
   - The outer keyed sponge and duplex constructions
   - The full-state keyed duplex construction
   - Farfalle
   - Deck functions and modes
Security notions for hashing / Hashing requirements
Cryptographic hash functions h : {0,1}* → {0,1}^n (input message → digest)
Applications:
- Signatures: sign_RSA(h(M)) instead of sign_RSA(M)
- Key derivation: master key K to derived keys (K_i = h(K ∥ i))
- Bit commitment, predictions: h(what I know)
- Message authentication: h(K ∥ M) (sound when h behaves like a random oracle, as assumed below; with a plain Merkle-Damgård hash such as SHA-256 this construction is broken by length extension, which is why HMAC exists)
Generalized: extendable output function (XOF), h : {0,1}* → {0,1}*
"XOF: a function in which the output can be extended to any length." [Ray Perlner, SHA-3 workshop 2014]
Applications:
- Signatures: full-domain hashing, mask generating function
- Key derivation: as many/long derived keys as needed
- Stream cipher: C = P ⊕ h(K ∥ nonce)
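The XOF applications on these two slides, worked through with SHAKE128 from Python's standard library. This is an added example, not code from the talk or from the Keccak team; the fixed 16-byte key length and the 4-byte encoding of the index i are assumptions made here so that K ∥ x parses unambiguously. The last function checks a property the slide does not spell out: a XOF's shorter output is a prefix of its longer one, so two truncations of the same input are not independent values.

```python
import hashlib
import hmac

KEY_LEN = 16  # assumption of this example: fixed key length, so key || x is unambiguous


def xof(data: bytes, out_len: int) -> bytes:
    """h : {0,1}* -> {0,1}*, instantiated with SHAKE128; the caller picks the output length."""
    return hashlib.shake_128(data).digest(out_len)


def derive_keys(master: bytes, n_keys: int, key_len: int) -> list:
    """K_i = h(K || i): one XOF call per derived key, i encoded on a fixed 4 bytes."""
    return [xof(master + i.to_bytes(4, "big"), key_len) for i in range(n_keys)]


def derive_keys_one_squeeze(master: bytes, n_keys: int, key_len: int) -> list:
    """What a XOF adds over a fixed-length hash: squeeze one long output and cut it into keys."""
    stream = xof(master, n_keys * key_len)
    return [stream[i * key_len:(i + 1) * key_len] for i in range(n_keys)]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """C = P xor h(K || nonce): the XOF as key stream generator. Decryption is the same call.
    Reusing (key, nonce) leaks P1 xor P2, exactly as with any stream cipher."""
    assert len(key) == KEY_LEN
    keystream = xof(key + nonce, len(data))
    return bytes(p ^ k for p, k in zip(data, keystream))


def mac(key: bytes, msg: bytes, tag_len: int = 16) -> bytes:
    """h(K || M) as a MAC. Fine for a XOF that behaves like a random oracle (SHAKE);
    not for a Merkle-Damgard hash like SHA-256, where length extension gives an attacker
    h(K || M || pad || M') from h(K || M) without knowing K."""
    assert len(key) == KEY_LEN
    return xof(key + msg, tag_len)


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(mac(key, msg, len(tag)), tag)


def outputs_are_prefixes(data: bytes) -> bool:
    """SHAKE's 16-byte output is the prefix of its 32-byte output for the same input.
    If two uses of one input must look independent, separate them in the input, not by length."""
    return xof(data, 16) == xof(data, 32)[:16]


if __name__ == "__main__":
    k = b"\x01" * KEY_LEN  # constructed sample key
    print(derive_keys(k, 2, 16))
    print(stream_xor(k, b"nonce-1", b"attack at dawn").hex())
    print(verify_mac(k, b"msg", mac(k, b"msg")), outputs_are_prefixes(b"x"))
```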
Modern security requirements
Hash or XOF h with n-bit output. Modern requirement: h behaves like a random mapping, up to security strength s.
Classical security requirements, derived from it (work needed to break):
| Requirement                | Work            |
|----------------------------|-----------------|
| Preimage resistance        | 2^min(n, s)     |
| Second-preimage resistance | 2^min(n, s)     |
| Collision resistance       | 2^min(n/2, s)   |
Security notions for hashing / Modern generic security
Generic security: indistinguishability
Adversary D must tell apart
- the ideal function: a monolithic random oracle RO
- the construction S[F] calling an ideal primitive F
Express Pr(success | D) as a function of the total cost of queries N.
Problem: in the real world, F is available to the adversary.
Generic security: indifferentiability [Maurer et al. (2004)], applied to hash functions in [Coron et al. (2005)]
- distinguishing the mode-of-use from the ideal function (RO)
- covers an adversary with access to the primitive F (left side of the figure)
- that additional interface is covered by a simulator on the right side
Methodology:
- build a simulator P that makes distinguishing left from right difficult
- P may query RO in order to act S-consistently: P[RO]
- prove a bound for the advantage given this simulator
$$\mathrm{Adv}(q) = \left|\Pr\left(D^{S[F],\,F}\right) - \Pr\left(D^{RO,\,P[RO]}\right)\right| \le \epsilon(q)$$
Consequences of indifferentiability
Let D be an n-bit output pre-image attack. Success probability:
- for the random oracle: P_pre(D | RO) = q 2^{-n}
- for our construction: P_pre(D | S[F]) = ?
Turn D into a distinguisher: run the pre-image attack; if it succeeds, conclude "our construction", otherwise "RO". Its advantage is
$$\mathrm{Adv}(q) = P_{\mathrm{pre}}(D \mid S[F]) - P_{\mathrm{pre}}(D \mid RO)$$
But we have a proven bound Adv(q) ≤ ε(q), so
$$P_{\mathrm{pre}}(D \mid S[F]) \le P_{\mathrm{pre}}(D \mid RO) + \epsilon(q)$$
Can be generalized to any attack.
Consequences of indifferentiability (figure) [Andreeva, Mennink, Preneel, ISC 2010]
Limitations of indifferentiability
- Only about the mode: no security proof with a concrete primitive
- Only about single-stage games [Ristenpart et al., Eurocrypt 2011]; example: hash-based storage auditing, Z = h(File ∥ C)
Why permutation-based cryptography?
Symmetric crypto: what textbooks and intros say
Symmetric cryptography primitives:
- Block ciphers
- Key stream generators
- Hash functions
And their modes-of-use. (Picture by GlasgowAmateur)
The truth about symmetric crypto today: block ciphers (figure)
What block ciphers are used for
- Hashing (Davies-Meyer) and its modes: HMAC, MGF1, …
- Block encryption: ECB, CBC, …
- Stream encryption: synchronous (counter mode, OFB, …), self-synchronizing (CFB)
- MAC computation: CBC-MAC, CMAC, …
- Authenticated encryption: OCB, GCM, CCM, …
Block cipher operation (figure)
Block cipher operation: the inverse (figure)
When do you need the inverse? (Uses needing the inverse are indicated in red on the slide.)
- Hashing and its modes: HMAC, MGF1, …
- Block encryption: ECB, CBC, … (decryption needs the inverse)
- Stream encryption: synchronous (counter mode, OFB, …), self-synchronizing (CFB)
- MAC computation: CBC-MAC, CMAC, …
- Authenticated encryption: OCB (needs the inverse), GCM, CCM, …
- Most schemes with misuse-resistant claims (need the inverse)
So for most uses you don't need the inverse: hashing, the stream modes, the MACs and GCM/CCM only ever call the forward direction.
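The slide's claim, made concrete: counter mode, OFB, CBC encryption and CBC-MAC written against a block cipher object that exposes only the forward direction. This is an added example, not code from the talk; the "cipher" is a constructed toy, a key-seeded random permutation table on 16-bit blocks, chosen only so that the inverse can be withheld on purpose. The one-byte nonce and counter are assumptions that follow from the toy block size. Everything below runs; CBC decryption is the one thing that cannot be written against this object, which is exactly the red item on the slide.

```python
import random


class ForwardOnlyCipher:
    """A keyed 16-bit block permutation offering E_K only, never E_K^-1.
    Constructed toy (assumption of this example): a key-seeded random permutation table
    stands in for a real block cipher. The point about which modes need the inverse is unchanged."""
    BLOCK = 2  # bytes

    def __init__(self, key: bytes):
        table = list(range(1 << (8 * self.BLOCK)))
        random.Random(key).shuffle(table)  # deterministic in the key
        self._table = table
        # The inverse table is deliberately not built: there is no decrypt_block.

    def encrypt_block(self, block: bytes) -> bytes:
        assert len(block) == self.BLOCK
        return self._table[int.from_bytes(block, "big")].to_bytes(self.BLOCK, "big")


def _blocks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def ctr(cipher: ForwardOnlyCipher, nonce: int, data: bytes) -> bytes:
    """Counter mode: key stream block i = E_K(nonce || i). Encrypt and decrypt are the same
    call, so no inverse is needed. Toy sizes: one byte of nonce, one byte of counter."""
    assert len(data) <= 256 * cipher.BLOCK, "toy counter would wrap"
    out = bytearray()
    for i, chunk in enumerate(_blocks(data, cipher.BLOCK)):
        ks = cipher.encrypt_block(bytes([nonce & 0xFF, i]))
        out += bytes(p ^ k for p, k in zip(chunk, ks))
    return bytes(out)


def ofb(cipher: ForwardOnlyCipher, iv: bytes, data: bytes) -> bytes:
    """Output feedback: key stream block j = E_K(key stream block j-1). Forward direction only."""
    out, fb = bytearray(), iv
    for chunk in _blocks(data, cipher.BLOCK):
        fb = cipher.encrypt_block(fb)
        out += bytes(p ^ k for p, k in zip(chunk, fb))
    return bytes(out)


def cbc_encrypt(cipher: ForwardOnlyCipher, iv: bytes, data: bytes) -> bytes:
    """CBC encryption uses only E_K. CBC decryption is P_i = E_K^-1(C_i) xor C_{i-1},
    which cannot be written against this object: that is the red item on the slide."""
    assert len(data) % cipher.BLOCK == 0
    out, prev = bytearray(), iv
    for chunk in _blocks(data, cipher.BLOCK):
        prev = cipher.encrypt_block(bytes(p ^ c for p, c in zip(chunk, prev)))
        out += prev
    return bytes(out)


def cbc_mac(cipher: ForwardOnlyCipher, msg: bytes) -> bytes:
    """Raw CBC-MAC: last CBC block under a zero IV, forward direction only.
    Secure only for fixed-length messages; CMAC repairs the variable-length case,
    again without the inverse."""
    assert len(msg) % cipher.BLOCK == 0
    tag = bytes(cipher.BLOCK)
    for chunk in _blocks(msg, cipher.BLOCK):
        tag = cipher.encrypt_block(bytes(m ^ t for m, t in zip(chunk, tag)))
    return tag


def can_invert(cipher: ForwardOnlyCipher) -> bool:
    """True only if the object offers E_K^-1; the modes above never ask for it."""
    return hasattr(cipher, "decrypt_block")


if __name__ == "__main__":
    c = ForwardOnlyCipher(b"toy key")  # constructed sample key
    ct = ctr(c, 7, b"attack at dawn")
    print(ct.hex(), ctr(c, 7, ct), cbc_mac(c, b"ab" * 4).hex(), can_invert(c))
```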
Block cipher internals (figure)
Davies-Meyer compression function (figure)
Removing restrictions not required in hashing (figure)
Simplifying the view: iterated permutation (figure)
Designing a permutation
Remaining problem: design of the iterated permutation
- round function: good approaches known
- asymmetry: round constants
Advantages with respect to block ciphers:
- no more need for an efficient inverse
- no more worries about a key schedule
- fewer barriers ⇒ more diffusion